b"   February 24, 2006\n\n\n\n\nInformation Technology Management\n\nSelect Controls for the Information\nSecurity of the Ground-Based Midcourse\nDefense Communications Network\n(D-2006-053)\n\n\n\n\n            Department of Defense\n           Office of Inspector General\nQuality                Integrity     Accountability\n\x0c  Additional Copies\n\n  To obtain additional copies of this report, visit the Web site of the Department of\n  Defense Inspector General at http://www.dodig.mil/audit/reports or contact the\n  Secondary Reports Distribution Unit, Audit Followup and Technical Support at\n  (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact Audit Followup and\n  Technical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932.\n  Ideas and requests can also be mailed to:\n\n                    ODIG-AUD (ATTN: AFTS Audit Suggestions)\n                      Department of Defense Inspector General\n                        400 Army Navy Drive (Room 801)\n                            Arlington, VA 22202-4704\n\n\n\n\nAcronyms\nCIO                   Chief Information Officer\nGAO                   Government Accountability Office\nGCN                   GMD Communications Network\nGMD                   Ground-Based Midcourse Defense\nIA                    Information Assurance\nMAC                   Mission Assurance Category\nMDA                   Missile Defense Agency\nOMB                   Office of Management and Budget\nPOA&M                 Plan of Action and Milestones\nSSAA                  System Security Authorization Agreement\n\x0c                              INSPECTOR GENERAL\n                            DEPARTMENTOFDEFENSE\n                             400 ARMY NAVY DRIVE\n                        ARLINGTON. 
VIRGINIA 22202-4704\n\n\n\n\n                                                                           February 24,2006\nMEMORANDUM FOR DIRECTOR, MISSILE DEFENSE AGENCY\n               CHIEF INFORMATION OFFICER, MISSILE\n                 DEFENSE AGENCY\nSmJECT: Report on Select Controls for the Information Security of the\n        Ground-Based Midcourse Defense Communications Network (Report\n        No. D-2006-053)\n\n\n      We are providing this report for review and comment. We considered\nmanagement comments on a draft of this report when preparing the final report.\n\n        DoD Directive 7650.3 requires that all recommendations be resolved promptly.\nThe comments of the Deputy Director, Missile Defense Agency, responding for the\nDirector, Missile Defense Agency, were partially responsive or nonresponsive to some of\nthe recommendations. As a result of manaeement comments.  ~~.we revised\n                                                                  ~~~   ~-~~\n\nRecommendation 1. T'hcrcforc, we rcqucs;that the ~ircctor,Missile Dcfcnse Agency,\nprovide additional comments on those recomrncndations by March 23,2006.\n\n       If possible, please send management comments in electronic format (Adobe\nAcrobat file only) to AudRLS@dodig.osd.mil. Copies of the management comments\nmust contain the actual signature of the authorizing official. We cannot accept the\n/ Siened / svmbol in olace of the actual sienature. If vou arranee to send classified\ncoknents ~lectroni~ally,   they must be s&t over the SECRET h e m e t Protocol Routa\nNetwork (SIPRNET).\n         We appreciate the courtesies extended to the staff. Questions should be directed to\nMs. Kathryn M. Truex at (703) 604-8966 (DSN 664-8966) or Ms. Karen J. Lamar at (703)\n604-9005 (DSN 664-9005). See Appendix C for the report distribution. 
The team members\nare listed inside the back cover.\n                                  By direction of the Deputy Inspector General for Auditing:\n\n\n                                   u-\n                                    i3.\n                                        7,\n\n\n\n\n                                                         m\n                                             Wanda A. Scott\n                                       Assistant Inspector General\n                                      Readiness and Logistic Support\n\x0c                    Department of Defense Office of Inspector General\n  Report No. D-2006-053                                                     February 24, 2006\n     (Project No. D2005-D000AL-0152)\n\n       Select Controls for the Information Security of the Ground-Based\n                 Midcourse Defense Communications Network\n\n                                    Executive Summary\n\nWho Should Read This Report and Why? The Director and Chief Information Officer, Missile\nDefense Agency, and other Missile Defense Agency managers responsible for making operational\nand information assurance-related decisions pertaining to the Ground-Based Midcourse Defense\nCommunications Network should read this report to reduce the risk of interruption, misuse,\nmodification, and unauthorized access to information in the system. Additionally, all DoD\nComponent Chief Information Officers with oversight responsibilities for contractor-owned or\noperated systems should read this report.\n\nBackground. This report is one in a series on operational control reviews at the Missile Defense\nAgency. In May 2003, the President directed DoD to field an initial set of missile defense\ncapabilities and begin operating them in 2004 and 2005. In recent years, more countries are\ndeveloping sophisticated missiles that are capable of reaching the United States. 
Ballistic\nmissile defense is a challenging mission because of the speed and altitude of a ballistic\nmissile. In late 2004, the United States fielded the initial Ballistic Missile Defense System\nthat can be used for limited defense operations. The Ballistic Missile Defense System is\ncomprised of various elements to include the Ground-Based Midcourse Defense system,\nwhich is contractor-owned and operated. The system includes infrastructure, sensors, radars,\nand interceptors, which are connected by the Ground-Based Midcourse Defense\nCommunications Network. This network provides connectivity for all system components to\ntransfer and process information to operators performing engagement activities.\n\nDoD Component Heads are required to establish minimum information assurance controls\noutlined in DoD Instruction 8500.2, \xe2\x80\x9cInformation Assurance (IA) Implementation,\xe2\x80\x9d February 6,\n2003, for all systems in order to protect the integrity, availability, and confidentiality of the\ninformation in that system. The Missile Defense Agency Chief Information Officer established\nthe Ground-Based Midcourse Defense Communications Network\xe2\x80\x99s baseline of required\ninformation assurance controls as the most stringent for integrity, availability, and\nconfidentiality.\n\nDoD Instruction 5200.40, \xe2\x80\x9cDoD Information Technology Security Certification and\nAccreditation Process (DITSCAP),\xe2\x80\x9d December 30, 1997, requires that DoD Component and\nDoD contractor information technology systems and networks undergo a formal certification and\naccreditation process to authorize systems to operate. During the DoD Information Technology\nSecurity Certification and Accreditation Process, the information assurance controls of DoD\nInstruction 8500.2, \xe2\x80\x9cInformation Assurance (IA) Implementation,\xe2\x80\x9d February 6, 2003, are\nimplemented. 
The certification and accreditation process culminates in a decision to grant a\nsystem an authority to operate, an interim authority to operate, or no authority to operate.\n\nResults. Missile Defense Agency officials had not prepared a System Security Authorization\nAgreement for the Ground-Based Midcourse Defense Communications Network. Additionally,\n\n\n                                                 i\n\x0cavailable security documentation did not properly reflect current operations of the network.\nMissile Defense Agency officials also had not fully implemented information assurance\ncontrols required to protect the integrity, availability, and confidentiality of information in the\nGround-Based Midcourse Defense Communications Network. Specifically, the Missile\nDefense Agency program office for the Ground-Based Midcourse Defense Communications\nNetwork did not provide information assurance awareness training to prior to being granted\naccess, conduct reviews for unauthorized access, properly implement or document user access\nprocedures and controls, and prepare contingency and incident response plans. Further, a\nPlan of Action and Milestones designed to assist managers in correcting security weaknesses\nhad not been prepared. As a result, Missile Defense Agency officials may not be able to\nreduce the risk and extent of harm resulting from misuse or unauthorized access to or\nmodification of information of the Ground-Based Midcourse Defense Communications\nNetwork and ensure the continuity of the network in the event of a disruption. Additionally,\nthe Missile Defense Agency Chief Information Officer and the Designated Approving Authority\nmay not be able to make appropriate management-level decisions relating to the security of the\nGround-Based Midcourse Defense Communications Network if required key documents are not\nprepared, updated, or tested. See the Finding section of the report for the detailed\nrecommendations.\nManagement Comments. 
The comments of the Deputy Director, Missile Defense Agency,\nresponding for the Director, Missile Defense Agency, were partially responsive or\nnonresponsive to some of the recommendations. See the Finding section of the report for a\ndiscussion of management comments on the recommendations and the Management Comments\nsection of the report for the complete text of the comments.\n\nWe request that the Director, Missile Defense Agency comment on this report by March 24,\n2006.\n\n\n\n\n                                                 ii\n\x0cTable of Contents\n\nExecutive Summary                                                         i\n\n\nBackground                                                                1\n\n\nObjectives                                                                2\n\n\nFinding\n     Ground-Based Midcourse Defense Communications Network Information\n        Security Status                                                  4\n\nAppendixes\n     A. Scope and Methodology                                            16\n     B. Prior Coverage                                                   17\n     C. Report Distribution                                              18\n\nManagement Comments\n     Missile Defense Agency                                              21\n\x0cBackground\n\n            In May 2003, the President directed DoD to field an initial set of missile defense\n            capabilities and begin operating them in 2004 and 2005. The mission of the\n            Missile Defense Agency (MDA) is to develop an integrated Ballistic Missile Defense\n            System to defend the United States, its deployed forces, and allies from ballistic\n            missiles. In recent years, more countries are developing sophisticated missiles that\n            are capable of reaching the United States. 
Ballistic missile defense is a challenging\n            mission because of the speed and altitude of a ballistic missile.\n\n            In late 2004, the United States fielded the initial Ballistic Missile Defense System\n            that can be used for limited defense operations. The Ballistic Missile Defense\n            System is comprised of various elements to include the Ground-Based Midcourse\n            Defense (GMD) system. The GMD system consists of the following components:\n\n                    \xe2\x80\xa2    GMD Communications Network (GCN);\n\n                    \xe2\x80\xa2    Command Launch Equipment, Fire Control Communications, Ground\n                         Based Support, and In-Flight Interceptor Communications Systems;\n                         and\n\n                    \xe2\x80\xa2    sensors, radars, and interceptors.\n\n            The GCN provides connectivity for all GMD components in order to transfer and\n            process information to operators performing engagement activities. The MDA\n            Program Office for GMD is responsible for the information assurance (IA) and the\n            certification and accreditation of all components of the GMD system.\n\n            GMD Communications Network. The GCN, a contractor-owned and operated\n            system, has two main components\xe2\x80\x94encrypted and unencrypted equipment\xe2\x80\x94both\n            comprised of a communications and a monitoring system. The communications\n            systems receive information from the various sensors and radars and transmits that\n            information to the various components of GMD. The monitoring systems report on\n            the health and status of the communications systems. 
The GCN has been in\n            development since January 2001.\n\n            DoD Instruction 8500.2, \xe2\x80\x9cInformation Assurance (IA) Implementation,\xe2\x80\x9d February 6,\n            2003, requires that all DoD information systems maintain an appropriate level of IA\n            by establishing a baseline of controls for integrity, availability, and confidentiality.\n            The DoD Component Head is required to designate a Mission Assurance\n            Category (MAC)1 level for all systems in order to determine those minimum\n            IA controls identified in DoD Instruction 8500.2 to protect the integrity and\n            availability of the information in that system. The MDA Chief Information Officer\n            (CIO) designated the GCN as a MAC I system in the DoD Information Technology\n\n\n1\n    A MAC level is identified for all DoD information systems and reflects the importance of information\n    relative to the achievement of DoD goals and objectives, particularly the warfighters\xe2\x80\x99 combat mission.\n    MAC I systems are those that require the most stringent DoD Instruction 8500.2 controls for integrity and\n    availability.\n\n\n\n                                                       1\n\x0c            Registry.2 For MAC I systems, the IA controls for integrity and availability are\n            always the most stringent. The confidentiality level for MAC I systems is determined\n            by whether the system processes classified, sensitive, or public information. MDA\n            Policy Memorandum, \xe2\x80\x9cDesignated Approving Authority (DAA) Accreditation\n            Directions to Ballistic Missile Defense System (BMDS) Elements for Mission\n            Automated Information Systems,\xe2\x80\x9d April 13, 2004, mandated that Ballistic Missile\n            Defense System mission systems and elements implement the classified\n            IA controls identified in DoD Instruction 8500.2. 
The baseline of IA controls for\n            the GCN is the most stringent for integrity, availability, and confidentiality.\n\n            Certification and Accreditation Process. DoD Instruction 5200.40, \xe2\x80\x9cDoD\n            Information Technology Security Certification and Accreditation Process\n            (DITSCAP),\xe2\x80\x9d December 30, 1997, requires that DoD Component and DoD\n            contractor information technology systems and networks establish a formal\n            certification and accreditation process to authorize systems to operate.\n            DoD 8510.1-M, \xe2\x80\x9cDepartment of Defense Information Technology Security\n            Certification and Accreditation Process,\xe2\x80\x9d July 31, 2000, standardizes the certification\n            and accreditation process throughout DoD. During the DoD Information Technology\n            Security Certification and Accreditation Process, the IA controls of DoD\n            Instruction 8500.2 are implemented. A Systems Security Authorization Agreement\n            (SSAA) documents the actions, decisions, IA requirements, and the level of effort\n            needed to certify and accredit any information system. The DoD Information\n            Technology Security Certification and Accreditation Process is composed of\n            activities and tasks designed to protect information systems and networks from loss,\n            alteration of, denial of access to, or unauthorized access to system information. The\n            certification and accreditation process culminates in a decision to grant a system an\n            authority to operate, an interim authority to operate,3 or no authority to operate. 
In\n            March 2005, the MDA Designated Approving Authority granted the GCN a six\n            month interim authority to operate and, in August 2005, renewed that interim\n            authority to operate for an additional six months.\n\n\nObjectives\n\n            The overall audit objective was to determine whether information security operational\n            controls operate effectively and provide an appropriate level of IA. Specifically, the\n            audit assessed the adequacy and effectiveness of the security program, access\n            controls, and contingency and continuity of operations plans. We also evaluated the\n            management control program related to the objective. This report addresses the GCN\n            and is one in a series on information security reviews at MDA. See Appendix A for a\n            discussion of the audit scope and methodology.\n\n\n\n2\n    The Information Technology Registry is the official database for the DoD-wide inventory of mission\n     critical, mission essential, and select mission support systems. 
That Registry contains security status for\n     such things as accreditation, risk management, security, incident response, contingency plans, and\n     security testing.\n3\n    An interim authority to operate is issued when a system does not meet the system security requirements\n    but the mission criticality mandates that it become operational.\n\n\n\n                                                         2\n\x0cManagement Control Program Review\n\n    DoD Directive 5010.38, \xe2\x80\x9cManagement Control (MC) Program,\xe2\x80\x9d August 26, 1996,\n    and DoD Instruction 5010.40, \xe2\x80\x9cManagement Control (MC) Program Procedures,\xe2\x80\x9d\n    August 28, 1996, require DoD organizations to implement a comprehensive system\n    of management controls that provides reasonable assurance that programs are\n    operating as intended and to evaluate the adequacy of the controls.\n\n    Scope of the Review of the Management Control Program. We performed tests of\n    the Management Control Program by performing the procedures used to accomplish\n    our objective. The objective was to assess the adequacy and effectiveness of the\n    security program, access controls, and contingency and continuity of operations\n    plans. By performing the procedures to review those controls, in effect, we tested the\n    Management Control Program for those select operational controls.\n\n    Adequacy of Management Controls. We found weaknesses in the Management\n    Control Program for the security program, access controls, and contingency and\n    continuity of operations plans. For specific results of those weaknesses, see the\n    Finding section of the report. The recommendations, if implemented, will correct the\n    identified weaknesses. A copy of the report will be provided to the senior official\n    responsible for management controls at MDA.\n\n    Adequacy of Management\xe2\x80\x99s Self-Evaluation. 
We found weaknesses in\n    management\xe2\x80\x99s self-evaluation processes for implementing IA controls for the\n    GCN. MDA reviewed the adequacy of management controls by performing\n    financial, operational, compliance, and program reviews and audits; however,\n    they performed no IA reviews of their information systems. Additionally, the\n    MDA CIO did not identify any reportable material weaknesses and assured in his\n    management control assessment that information technology was adequately\n    protected.\n\n\n\n\n                                          3\n\x0c            Ground-Based Midcourse Defense\n            Communications Network Information\n            Security Status\n            MDA officials had not prepared an SSAA for the GCN. Additionally,\n            available security documentation did not properly reflect current operations\n            of the network. MDA officials also had not fully implemented select\n            IA controls required to protect the integrity, availability, and confidentiality\n            of GCN information. Specifically, the MDA program office for the GCN did\n            not:\n\n                    \xe2\x80\xa2   provide IA awareness training to GCN users prior to being\n                        granted access to the GCN;\n\n                    \xe2\x80\xa2   conduct reviews for unauthorized access;\n\n                    \xe2\x80\xa2   properly implement or document user access procedures and\n                        controls; and\n\n                    \xe2\x80\xa2   prepare contingency and incident response plans.\n\n            Further, a Plan of Action and Milestones (POA&M) designed to assist\n            managers in correcting security weaknesses was not prepared. 
MDA\n            officials did not prepare required documents and implement IA controls\n            because they did not conduct adequate oversight of the GCN IA program,\n            update the development contract to adhere to DoD policy, or assign IA roles\n            and responsibilities for the GCN development process. As a result, MDA\n            officials may not be able to reduce the risk and magnitude of harm resulting\n            from misuse or unauthorized access to or modification of information of the\n            GCN and ensure the continuity of the system in the event of a disruption.\n            Additionally, the MDA CIO and the Designated Approving Authority may\n            not be able to make appropriate management-level decisions relating to the\n            security of the GCN if required key documents are not prepared, updated, or\n            tested.\n\n\nSystem Security Authorization Agreement\n\n     MDA officials had not prepared an SSAA for the GCN. Additionally, available\n     security documentation did not properly reflect current operations of the network.\n\n     System Security Authorization Agreement. The DoD Information Technology\n     Security Certification and Accreditation Process uses a single document approach\xe2\x80\x94\n     the SSAA\xe2\x80\x94for the certification and accreditation process. The SSAA is designed to\n     fulfill the requirements of Office of Management and Budget (OMB) Circular A-130,\n     \xe2\x80\x9cManagement of Federal Information Resources,\xe2\x80\x9d November 2000, for a security\n     plan and to meet all Federal, DoD, and MDA requirements for documentation of\n     system and network certification and accreditation. 
The SSAA is used throughout the\n\n\n\n                                           4\n\x0c           DoD Information Technology Security Certification and Accreditation Process to\n           guide actions, document decisions, specify IA requirements, document certification\n           tailoring and level of effort, identify possible solutions, and maintain operational\n           systems security. The DoD Information Technology Security Certification and\n           Accreditation Process applies to all systems requiring certification and accreditation\n           throughout their life cycle. The process is designed to adapt to any type of\n           information system and any computing environment and mission. Contractor\n           officials prepared, and MDA officials authorized, four individual SSAAs for the\n           various components of GCN and granted interim authorities to operate based on each\n           of those SSAAs. Contractor officials stated that they no longer grant multiple interim\n           authorities to operate based upon the components of GCN, but on GCN as a whole.\n           Therefore, because GCN was granted one interim authority to operate, which is the\n           result of the DoD Information Technology Security Certification and Accreditation\n           Process, it requires an SSAA. However, officials did not prepare a GCN SSAA.\n           MDA officials should prepare an overall SSAA for GCN because the SSAA contains\n           the documentation to support the interim authority to operate and applies to all\n           systems that require certification and accreditation.\n\n           Available Security Documentation. MDA officials did not prepare and update the\n           various GCN component SSAAs to adequately reflect the current operating system\n           mission, environment, and architecture. 
Specifically, contractor officials had not\n           prepared key documents required by OMB Circular A-130 to support the individual\n           GCN component SSAAs and did not report valid or current information in those\n           SSAAs. For instance, contingency plans and system rules of behavior had not been\n           prepared to assist users. Additionally, the SSAA for the unencrypted\n           communications system stated that an individual password was required; however,\n           the developing contractor used group passwords. The SSAAs for the unencrypted\n           equipment also identified a security concept4 for the unencrypted equipment;\n           however, that concept covered encrypted equipment instead of unencrypted\n           equipment. On the other hand, SSAAs for the encrypted equipment did not contain\n           any security concept. This oversight occurred because the encrypted equipment and\n           the unencrypted equipment were developed by two separate contractors, who were\n           not following a common set of procedures for preparing documentation.5\n\n           User Representative. The key to the DoD Information Technology Security\n           Certification and Accreditation Process is the agreement between the designated\n           approving authority, the certifying authority, the program manager, and the user\n           representative. Those individuals resolve schedule, budget, security, functionality,\n           and performance issues. A user representative is responsible for ensuring that the\n           system meets the user\xe2\x80\x99s operational need, meets the availability and integrity\n           requirements, and has a realistic security policy that can be maintained in the\n           operational environment. 
The GMD Deputy Designated Approving Authority stated\n           that the Joint Functional Component Command was the user of the GCN; however,\n           the GCN component SSAAs identified U.S. Northern Command as the user\n           representative. However, no user representative had endorsed those SSAAs to ensure\n\n4\n    The purpose of the security concept was to provide a description of the GCN security requirements and\n     resources needed to meet those requirements.\n5\n    Boeing is the prime contractor for the development of the GMD system, which includes the GCN.\n    Northrop Grumman is a sub-contractor to Boeing and develops all the unencrypted equipment for the\n    GMD system, which includes the unencrypted equipment for the GCN.\n\n\n\n                                                       5\n\x0c     that the needs of the user were being met. According to the GMD Deputy Designated\n     Approving Authority, the GCN has multiple users; therefore, ongoing efforts are\n     trying to determine who the user representative should be. MDA officials should\n     identify the user representative to ensure that the GCN is being developed to meet the\n     operational needs of that user.\n\n\nInformation Assurance Controls\n\n     MDA officials had not fully implemented select IA controls required to protect\n     the integrity, availability, and confidentiality of the GCN information. The GCN, a\n     contractor-owned and operated system, is reported in the Information Technology\n     Registry as a MAC I system. According to MDA Policy Memorandum, \xe2\x80\x9cMission\n     Assurance Category (MAC) Levels for Missile Defense Agency (MDA) Systems\n     and Networks,\xe2\x80\x9d August 20, 2004, all MDA systems are required to be accredited\n     in accordance with DoD Instruction 8500.2. However, GMD government\n     program and contractor officials did not develop the GCN to meet DoD\n     Instruction 8500.2 requirements. 
Rather, they developed the GCN to conform to\n     the standards of DoD 5200.28-STD, \xe2\x80\x9cDepartment of Defense Trusted Computer\n     System Evaluation Criteria,\xe2\x80\x9d December 26, 1985, which does not include most of\n     the IA controls required in DoD Instruction 8500.2. Further, based on a\n     cross-walk provided by the independent assessment team contracted to perform\n     the independent verification and validation function for GMD, the IA controls\n     actually being implemented were those from DoD Directive 5200.28, \xe2\x80\x9cSecurity\n     Requirements for Automated Information Systems (AISs),\xe2\x80\x9d March 21, 1988. In\n     any event, the IA controls required by DoD 5200.28-STD and DoD\n     Directive 5200.28 were outdated and did not comply with the current IA controls\n     identified in DoD Instruction 8500.2, such as IA awareness training, intrusion\n     detection, real-time monitoring, and contingency planning. MDA officials should\n     immediately implement all IA controls of DoD Instruction 8500.2 for the GMD\n     element.\n     Information Assurance Awareness Training. DoD Directive 8570.1,\n     \xe2\x80\x9cInformation Assurance Training, Certification, and Workforce Management,\xe2\x80\x9d\n     August 15, 2004, requires that all authorized users, including contractors, receive\n     IA awareness training as a condition for access to any DoD system and,\n     thereafter, complete annual IA refresher training. Contractor personnel who had\n     access to the GCN did not receive IA awareness training prior to being granted\n     access to the system. In April 2005, MDA officials implemented the IA awareness\n     training requirement for the first time; by October 2005, all GCN contractor\n     personnel had completed the training. MDA program officials for GMD stated that\n     they had not required the IA awareness training until MDA implemented the\n     IA awareness training requirement. 
MDA officials should continue to promote\n     awareness and provide recurring training to all employees and contractors so that all\n     government and contractor personnel are aware of their security roles and\n     responsibilities and understand current government policies and procedures, security\n     risks, and the potential threats to MDA systems.\n\n     User Access Controls. MDA and contractor officials did not conduct adequate\n     reviews for potential acts of unauthorized access into the GCN, implement consistent\n\n\n\n                                           6\n\x0cpassword procedures, or implement procedures to ensure that access was granted to\nonly those users with the required clearance and who had received IA awareness\ntraining.\n\n        Unauthorized Access Review. MDA and contractor officials did not\nconduct audit log reviews for the unencrypted communications and monitoring\nsystems of the GCN. MDA and contracting officials stated that audit log reviews\nwere only required for the encrypted communications and monitoring systems and\nthat those reviews were performed manually. Contractor officials also stated that\nmanual audit log reviews were cumbersome and time-consuming and that those\nreviews did not guarantee the detection of all relevant security violations. However,\nDoD Instruction 8500.2 requires the deployment of an automated, continuous on-\nline monitoring and audit trail capability to immediately alert personnel to any\nunusual or inappropriate activity with potential IA implications. Contractor\nofficials stated that they did not implement real-time audit log monitoring\ncapability on the GCN system because it was not in the contract. Both\ngovernment and contractor officials acknowledged that automated audit log\nmonitoring systems would be beneficial to the GCN system because predefined\nevents could be established to identify security trends and patterns of\nunauthorized access. 
MDA and contractor officials should integrate an automated monitoring capability into the GCN in order to alert the appropriate personnel of a security incident for the GCN system. MDA and contractor officials should also conduct weekly manual reviews of the audit logs for all GCN components until such time that an automated monitoring capability is installed into the system.

        User Account Management. DoD Instruction 8500.2 requires that users gain access to DoD information systems with the use of an individual identifier and password. Officials did not require users to have an individual password to access the unencrypted communications system of the GCN. Contractor officials explained that, based on the configuration of the GCN, an individual password was not necessary to protect against unauthorized use. Specifically, a group password was used to authenticate a user of the unencrypted communications system. However, access to that communications system could only be gained via the unencrypted monitoring system, which required an individual password to access that monitoring system. Contractor officials stated that plans were underway to configure the unencrypted communications system to have role-based passwords, which assign the same password to a group of users with the same level of access to the system. An MDA official stated that the reconfiguration of the passwords will not be implemented until March 2006. DoD policy does not allow for group or role-based passwords, even when the configuration of the system provides protection against unauthorized access.
It is\nespecially important that MDA officials implement consistent password controls\nthat comply with DoD Instruction 8500.2 because, according to those officials,\nthe greatest risk to the GCN system was the insider threat.\n\n       DoD Instruction 8500.2 also requires the implementation of a\ncomprehensive account management process to ensure that only authorized users\ngain access to workstations, applications, and networks and that individual\naccounts designated as inactive, suspended, or terminated are promptly\ndeactivated. Contractor officials did not implement a plan or prepare procedures\nto promptly deactivate inactive, suspended, or terminated accounts. Contractor\n\n\n                                      7\n\x0c           officials stated that no user had an inactive, suspended, or terminated account as\n           of July 2005; therefore, the contractor did not believe they needed to implement\n           procedures for the deactivation of accounts. However, in November 2005,\n           contracting officials terminated two unnecessary accounts for users who no longer\n           required access to the GCN. MDA officials should require the contractor to\n           immediately prepare and implement account management procedures to include\n           deactivation of inactive, suspended, or terminated accounts.\n\n                   User Account Request Forms. DoD Instruction 8500.2 requires that the\n           IA Officer ensure that users have the requisite security clearances and supervisory\n           need-to-know authorization and are made aware of their IA responsibilities before\n           being granted access to any DoD information system. 
However, the initial GCN IA Officer⁶ was not appointed until June 2005, almost a year after the GCN became operational.⁷ The procedures used by contractor officials to control and grant access to the GCN required that the user complete an account request form that included the:

        • user request for access;

        • type of user access being requested;

        • supervisor approval and signature that the user had a valid "need-to-know;" and

        • GCN security manager certification that the user had the requisite security clearance needed for the system.

⁶ The IA Officers appointed for the GCN are contractor employees of MDA.
⁷ In late 2004, the U.S. fielded an initial Ballistic Missile Defense System that can be used for limited defense operations.

        We reviewed the user account request forms for all GCN users. As of July 2005, there were 22 user accounts for the GCN. The GCN security manager had not signed any of those forms verifying that a user had the required security clearance for the GCN until July 2005, approximately one year after the GCN became operational. Additionally, contractors processing those user account request forms stated that they did not include the actual date a user was granted access to the GCN; instead, the contractors used the date the user completed the form. Further, the GCN procedures used to control and grant access to the encrypted communications and monitoring systems did not require the IA Officer to certify on the user account request form that a user had received IA awareness training prior to being granted access to the GCN. Also, procedures to control and grant access to the unencrypted systems were not prepared. Contractor officials stated they would update the user account request form to include a section for the IA Officer to certify in writing that he or she had, in fact, verified the user's completion of the IA awareness training.

        In November 2005, contractor officials implemented the revised user account request form and required GCN users to complete that form. However, we identified problems with the content and completion of the revised forms. First, the system administrator responsible for creating accounts on the GCN created his own account and granted himself all special access requirements allowed for the GCN; however, we could not determine whether those access requirements were appropriate. Second, the revised forms were not completed by the unencrypted communications and monitoring systems users. Third, the IA Officer and security manager at one operating location certified IA training requirements and security clearances on the user account access forms for a location they were not responsible for. Fourth, two accounts were still active when those users were no longer at that operating location.
Lastly, the security manager certified users' clearances a day after our receipt of the revised forms. MDA officials should require the contractor to update and prepare procedures that require the user account request form to include the date users are granted initial access to the system, so that provision of annual IA refresher training can be tracked, and require the IA Officer to certify by initialing the form that the:

        • user completed the IA awareness training;
        • supervisor verified the user's role and need-to-know; and
        • security manager certified that the user holds a valid and appropriate clearance.

MDA officials should also reconcile all active user accounts by operating location to ensure that access is still required. Additionally, MDA officials should revise the user account request form to include the initial date a user was granted access to the GCN and include a section on the form for the IA Officer to initial that the form contains all required signatures and is complete and accurate. Further, MDA officials should review all user accounts to ensure each user was granted the appropriate level of access and ensure that no user can authorize their own account in the system without validation by an independent party that the access requirements granted were appropriate.

Contingency and Incident Response Planning. GMD officials did not implement the DoD Instruction 8500.2 IA controls for contingency and incident response planning.

        Contingency Plan. DoD Instruction 8500.2 requires preparation of a disaster plan that provides for the smooth transfer of all mission and business-essential functions to an alternate site with little or no loss of operational continuity. A system's contingency plan may be included as part of the system's disaster recovery procedures.
GMD officials stated that they had not prepared a formal contingency plan for the GCN because redundant operations were built into the configuration of the system that would mitigate most interruptions. DoD Instruction 8500.2 requires formal documentation of the essential functions for priority restoration, the identification of an alternate location that permits the restoration of those essential functions, and implementation of recovery procedures to ensure recovery is done in a secure and verifiable manner. Even though the design of the GCN may mitigate most interruptions, GMD officials should document the procedures and operations that will protect the GCN against potential loss of information or operations should an incident occur.

        Incident Response Plan. Contractor officials did not prepare a formal incident response plan for the GCN system. Contractor officials stated that they report on equipment and communications outages; however, they do not have a formal plan to report security incidents or violations. DoD Instruction 8500.2 requires that an incident response plan exist that identifies the responsible computer network defense service provider, defines reportable incidents, outlines a standard operating procedure for incident response, provides for user training, and establishes an incident response team.
MDA officials should require the\n     contractor to implement a formal incident response plan to ensure employees are\n     made aware of the incident response procedures to alert the appropriate parties if\n     an incident occurs.\n\n\nPlan of Action and Milestones\n     MDA officials did not implement a formal plan that would assist in identifying,\n     assessing, prioritizing, and monitoring the progress of corrective efforts for security\n     weaknesses identified for the GCN, which operated under an interim authority to\n     operate. According to DoD 8510.1-M, an interim authority to operate is issued when\n     the system does not meet the system security requirements but the mission criticality\n     mandates that it become operational. The Assistant Secretary of Defense for\n     Networks and Information Integration/Chief Information Officer Memorandum,\n     \xe2\x80\x9cDepartment of Defense (DoD) Federal Information Security Management Act\n     (FISMA) Guidance for Fiscal Year 2005 (FY05),\xe2\x80\x9d April 18, 2005, required that DoD\n     Components prepare and submit a POA&M that identifies the solution, schedule,\n     security actions, and milestones necessary for mitigating identified security\n     weaknesses. It is especially important to prepare a POA&M for systems operating\n     under an interim authority to operate.\n\n     Although contractor officials routinely assessed the GCN to identify IA security\n     weaknesses, the developing contractor and the independent assessment team\n     contractor maintained the results of those assessments separately. The MDA\n     program office for GMD did not prepare a POA&M that readily identified the\n     weaknesses, the tasks and resources needed to mitigate the weaknesses, the\n     milestones, and scheduled completion dates for the milestones. 
Although aspects of a POA&M were maintained separately and weaknesses tracked through mitigation schedules, the information was not maintained centrally by the MDA program office for GMD. Subsequent to our review, MDA officials consolidated the IA weaknesses of the developing contractor and the independent assessment team contractor and, in September 2005, provided a plan that met the requirements of a POA&M. MDA officials should conduct quarterly reviews and updates of the POA&M in order to measure and monitor the progress of efforts needed to mitigate the security weaknesses identified for the GCN, including all weaknesses identified by this audit. We commend management for taking initial corrective action on this issue.

Management Controls

            MDA officials did not implement IA controls and prepare required documents because they did not conduct adequate oversight of the GCN IA program, update the development contract to adhere to DoD policy, or assign IA roles and responsibilities for the GCN development process.

            Contractor officials stated that because the GCN had been in development for approximately five years, it would have been too costly to modify the development contract to implement the IA controls required in DoD Instruction 8500.2; however, security requirements cannot simply be waived based on cost. MDA Policy Memorandum, "Mission Assurance Category (MAC) Levels for Missile Defense Agency (MDA) Systems and Networks," August 20, 2004, required that MDA systems and networks not accredited in accordance with DoD Instruction 8500.2 be approved in writing by the MDA Designated Approving Authority; however, no written approval was obtained.
Additionally, the MDA CIO stated that although the contractor had not implemented all the IA controls required by DoD Instruction 8500.2, the standard used, DoD 5200.28-STD, met approximately 85 percent of those IA controls. However, that standard is twenty years old and does not include requirements for the current IA controls of DoD Instruction 8500.2. Also, the GCN program office was not involved in the preparation of the available security documentation.

            MDA officials had not prepared IA policies for incident response and recovery, passwords, configuration change, IA training, and audit management. MDA officials first entered into a contract for the development of those IA policies in June 2005, after an assessment of their IA program conducted by the National Security Agency. GMD program and contractor officials stated that, at the time, IA had not been emphasized by MDA and that they were not aware of their IA responsibilities. Additionally, an IA Manager⁸ responsible for oversight of the GMD system's IA program was not appointed until July 2005, and the IA Officers were not appointed until the last six months of the five-year development of the GCN.

Conclusion

            MDA and contractor officials may not be able to reduce the risk and magnitude of harm resulting from misuse or unauthorized access to or modification of the information of the GCN, and ensure the continuity of the system in the event of an interruption.
Additionally, the MDA CIO and Designated Approving Authority may not be able to make appropriate management-level decisions relating to the security of the GCN if contingency and incident response plans are not prepared or tested and the system security plan is not prepared and updated on a recurring basis. MDA and contractor officials must immediately comply with all Federal, DoD, and MDA system security requirements for the GCN, emphasize the importance of IA to MDA and contractor employees, conduct timely IA awareness training of GCN users, conduct reviews of unauthorized access, and implement password procedures and controls for user access so that the confidentiality, integrity, and availability of the information in the GCN is not compromised and is protected to the highest level possible.

⁸ The IA Manager, an MDA government employee, is responsible for developing and maintaining the GMD IA program, to include identifying the IA objectives and policies; ensuring the development and maintenance of IA certification documents; maintaining a repository of IA certification and accreditation documents; ensuring that IA Officers are appointed in writing and providing oversight to ensure that they are following IA policies; and ensuring that IA Officers receive necessary IA training.

Recommendations, Management Comments, and Audit Response

    Revised Recommendation. We revised Recommendation 1. to request that MDA identify the primary user representative for the GCN, rather than for the GMD, so that the GCN meets the user's operational need.

    We recommend that the Director, Missile Defense Agency ensure that the Chief Information Officer, Missile Defense Agency:

    1. Completes the System Security Authorization Agreement process for the Ground-Based Midcourse Defense Communications Network in full compliance with Office of Management and Budget Circular A-130, "Management of Federal Information Resources," November 30, 2000, and DoD 8510.1-M, "Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual," July 31, 2000, by April 1, 2006, and identify the primary user representative for the Ground-Based Midcourse Defense Communications Network to ensure that the network will meet the user's operational need; will meet the availability and integrity requirements; and has a realistic security policy that can be maintained in the operational environment.

    Management Comments. The Deputy Director, MDA, responding for the Director, MDA, concurred that a single SSAA would be prepared for the GCN, stating that the single SSAA would be staffed for signature with the GMD Program Director. However, the Deputy Director nonconcurred with identifying the primary user representative for the GCN, stating that a user representative had authorized the GMD and the Ballistic Missile Defense System SSAAs.

    Audit Response. The comments of the Deputy Director, MDA, responding for the Director, MDA, were partially responsive. We revised this recommendation and request that MDA identify the primary user representative for the GCN, rather than for the GMD, so that the GCN meets the user's operational need.

    2. Immediately implements all information assurance controls required in DoD Instruction 8500.2, "Information Assurance (IA) Implementation," February 6, 2003, for Mission Assurance Category I and classified systems. Specifically,

         a. Prepare and implement procedures for the Ground-Based Midcourse Defense Communications Network to:

                (1) Deactivate inactive, suspended, and terminated accounts.

                (2) Mandate that the information assurance officer track the date a user is granted access to the system, certify the user completed information assurance awareness training, and verify that the user has a valid and appropriate security clearance.

                (3) Require that an independent party validate in the Ground-Based Midcourse Defense Communications Network that access requirements granted were appropriate when a user creates their own account.

        Management Comments. The Deputy Director, MDA, responding for the Director, MDA, concurred, stating that the prime contractor implemented the process to deactivate inactive, suspended, and terminated accounts and that, since the establishment of the IA Officers, a common process and forms for granting access was developed, audited, and verified.

        Audit Response. The comments of the Deputy Director, MDA, responding for the Director, MDA, were responsive to the recommendation; therefore, no further comments are required.

         b. Update the Ground-Based Midcourse Defense Communications Network configuration to include:

                (1) Automated monitoring of the unencrypted and encrypted communications and monitoring systems; and

                (2) Individual user passwords to access the unencrypted communications system.

        Management Comments. The Deputy Director, MDA, responding for the Director, MDA, concurred, stating that current equipment is not capable of performing automated audit log assessment. Until that capability is available, manual reviews are conducted weekly. Additionally, the Deputy Director stated that shared passwords have been eliminated with the release of the 4B.1 software build.
However, on February 1, 2006, a contracting official stated that the 4B.1 software build would not be released until May 2006.

        Audit Response. The comments of the Deputy Director, MDA, responding for the Director, MDA, were nonresponsive. The Deputy Director did not state whether the automated audit log capability would be implemented on the GCN. While we acknowledge that management has implemented the requirement for weekly manual reviews, management must ensure that an automated audit log capability is implemented in the system. Additionally, as stated in this report, plans were underway to configure the unencrypted communications system during the 4B.1 software build to have role-based passwords, which would assign the same password to a group of users with the same level of access to the system, rather than individual passwords. However, DoD policy does not allow for group or role-based passwords. Further, management comments were inconsistent as to when the 4B.1 software build would be implemented. We request that management provide additional comments to identify when individual passwords, not role-based passwords, would be implemented for the unencrypted communications system of the GCN.

         c. Prepare a contingency plan for the Ground-Based Midcourse Defense Communications Network that meets the requirements of DoD Instruction 8500.2, "Information Assurance (IA) Implementation," February 6, 2003, and the National Institute of Standards and Technology Special Publication 800-34, "Contingency Planning Guide for Information Technology Systems," June 2002.

        Management Comments. The Deputy Director, MDA, responding for the Director, MDA, concurred, stating that a pending engineering change proposal statement of work will address the IA requirements.
The Deputy Director also stated that contingency plans were present at each site.

        Audit Response. The comments of the Deputy Director, MDA, responding for the Director, MDA, were partially responsive. Although the Deputy Director stated that plans were underway to prepare a contingency plan, he did not state whether it would be prepared in accordance with DoD Instruction 8500.2 and National Institute of Standards and Technology Special Publication 800-34. Additionally, MDA and contracting officials at the sites told the audit team that there were no contingency plans in place. We request that management provide additional comments to identify whether the contingency plan will be prepared in accordance with DoD Instruction 8500.2 and National Institute of Standards and Technology Special Publication 800-34.

         d. Prepare an incident response plan for the Ground-Based Midcourse Defense Communications Network that meets the requirements of DoD Instruction 8500.2, "Information Assurance (IA) Implementation," February 6, 2003, and the National Institute of Standards and Technology Special Publication 800-61, "Computer Security Incident Handling Guide," January 2004.

        Management Comments. The Deputy Director, MDA, responding for the Director, MDA, concurred, stating that a pending engineering change proposal statement of work will address the IA requirements. The Deputy Director also stated that incident response plans were present at each site.

        Audit Response. The comments of the Deputy Director, MDA, responding for the Director, MDA, were partially responsive. Although the Deputy Director stated that plans were underway to prepare an incident response plan, he did not state whether it would be prepared in accordance with DoD Instruction 8500.2 and National Institute of Standards and Technology Special Publication 800-61.
Additionally, MDA and contracting officials at the sites told the audit team that there were no incident response plans in place. We request that management provide additional comments to identify whether the incident response plan will be prepared in accordance with DoD Instruction 8500.2 and National Institute of Standards and Technology Special Publication 800-61.

    3. Maintains the information assurance training program for all Missile Defense Agency and contractor personnel associated with the Ground-Based Midcourse Defense Communications Network in accordance with DoD Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management," August 15, 2004.

    Management Comments. The Deputy Director, MDA, responding for the Director, MDA, concurred, stating that the training process is uniform across all the components and contractors.

    Audit Response. The comments of the Deputy Director, MDA, responding for the Director, MDA, were responsive to the recommendation; therefore, no further comments are required.

    4. Updates the Plan of Action and Milestones to include all security weaknesses identified for the Ground-Based Midcourse Defense Communications Network, including all weaknesses identified in this review.

    Management Comments. The Deputy Director, MDA, responding for the Director, MDA, concurred, stating that the POA&M will be reviewed quarterly to update and include new actions and milestones, such as the DoD Office of the Inspector General findings.

    Audit Response. The comments of the Deputy Director, MDA, responding for the Director, MDA, were responsive to the recommendation; therefore, no further comments are required.

    5. Reports in the Missile Defense Agency's Annual Statement of Assurance the information assurance weaknesses identified in this report for the Ground-Based Midcourse Defense Communications Network.

    Management Comments. The Deputy Director, MDA, responding for the Director, MDA, concurred, stating that a change to the MDA Annual Statement of Assurance will be considered at the annual update.

    Audit Response. The comments of the Deputy Director, MDA, responding for the Director, MDA, were nonresponsive. We request that management reconsider their position and include all the information assurance weaknesses identified in this report in the MDA Annual Statement of Assurance to ensure full disclosure of system IA weaknesses and management efforts to address those weaknesses.

Appendix A. Scope and Methodology

            We queried the DoD Information Technology Registry in March 2005 to identify the MDA information systems designated as mission critical.* Each system identified as mission critical was also designated as a MAC I system. We selected the GCN, a mission critical MAC I system, for review. We assessed the adequacy of documentation based on select operational or IA controls designated for the GCN. In DoD guidance, operational controls are included in the definition of IA controls, so our report uses the terms IA and operational controls interchangeably. We evaluated select IA controls relating to IA awareness training, user access controls, and contingency planning for the GCN system based on the requirements of DoD Instruction 8500.2, DoD 8510.1-M, DoD Directive 8570.1, DoD 5200.28-STD, OMB Memorandum 02-01, OMB Circular A-130, and MDA Policy Memoranda.
The policy and guidance reviewed were dated from December 1985 through April 2005.

We reviewed the following GCN documents: the System Security Authorization Agreements, the Interim Authority to Operate Memoranda, appointment letters, IA awareness and role-based training certificates, training plans, audit logs, user account request forms, user access listings, configuration management plans, and risk management plans. We reviewed the relevant documents dated from May 2004 through November 2005.

We visited the GMD Joint Program Office in Huntsville, Alabama, and the Joint National Integration Center in Colorado Springs, Colorado. Although we did not visit Ft. Greely, Alaska, the GMD Joint Program Office provided the IA policies and procedures (which were the same as those of the Joint National Integration Center) and the user-specific documents for that location.

We conducted interviews with the MDA CIO, the GMD Deputy Designated Approving Authority, the GMD Certifying Authority, the GMD IA Manager, GMD IA Officers, MDA officials responsible for updating the Information Technology Registry, GCN privileged users, the contractors developing the GCN, and the independent verification and validation contractor team.

We performed this audit from April 2005 to December 2005 in accordance with generally accepted government auditing standards.

Use of Computer-Processed Data. We did not use computer-processed data to perform this audit.

Government Accountability Office High-Risk Area. The Government Accountability Office (GAO) has identified several high-risk areas in DoD. This report provides coverage of the Protecting the Federal Government’s Information-Sharing Mechanisms and the Nation’s Critical Infrastructures high-risk area.

* Mission Critical systems are those systems the loss of which would cause the stoppage of warfighter operations or direct mission support of warfighter operations.

16

Appendix B. Prior Coverage

During the last 5 years, the GAO and the DoD Inspector General (IG) issued 10 reports that discuss the reliability of DoD information technology budget submissions. Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov. Unrestricted DoD Inspector General reports can be accessed at http://www.dodig.mil/audit/reports.

GAO

GAO Report No. GAO-05-552, “Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements,” July 15, 2005

GAO Report No. GAO-05-381, “DoD Business System Modernization: Billions Being Invested Without Adequate Oversight,” April 29, 2005

GAO Report No. GAO-04-858, “Defense Acquisitions: The Global Information Grid and Challenges Facing Its Implementation,” July 28, 2004

GAO Report No. GAO-04-823, “Federal Chief Information Officers: Responsibilities, Reporting Relationships, Tenure, and Challenges,” July 21, 2004

GAO Report No. GAO-04-615, “DoD Business System Modernization: Billions Continue to Be Invested with Inadequate Management Oversight and Accountability,” May 27, 2004

DoD IG

DoD IG Report No. D-2005-099, “Status of Selected DoD Policy on Information Technology Governance,” August 19, 2005

DoD IG Report No. D-2005-094, “Proposed DoD Information Assurance Certification and Accreditation Process,” July 21, 2005

DoD IG Report No. D-2005-054, “DoD Information Technology Security Certification and Accreditation Process,” April 28, 2005

DoD IG Report No. D-2005-029, “Management of Information Technology Resources Within DoD,” January 27, 2005

DoD IG Report No. D-2005-023, “Assessment of DoD Plan of Action and Milestone Process,” December 13, 2004

Appendix C. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
   Director, Defense Business Transformation Agency
Under Secretary of Defense (Comptroller)/Chief Financial Officer
Under Secretary of Defense for Personnel and Readiness
Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer
Assistant Secretary of Defense for Health Affairs/Chief Information Officer
Assistant Secretary of Defense for Intelligence Oversight/Chief Information Officer
Chief Information Officer, Office of the Secretary of Defense
Director, Program Analysis and Evaluation

Joint Staff
Director, Joint Staff
Chief Information Officer, Joint Staff

Department of the Army
Assistant Secretary of the Army (Financial Management and Comptroller)
Auditor General, Department of the Army
Chief Information Officer, Department of Army

Department of the Navy
Assistant Secretary of the Navy (Financial Management and Comptroller)
Naval Inspector General
Auditor General, Department of the Navy
Chief Information Officer, Department of the Navy
Chief Information Officer, U.S. Marine Corps

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force
Chief Information Officer, Department of the Air Force

Unified Commands
Chief Information Officer, U.S. Central Command
Chief Information Officer, U.S. European Command
Chief Information Officer, U.S. Joint Forces Command
Chief Information Officer, U.S. Northern Command
Chief Information Officer, U.S. Pacific Command
Chief Information Officer, U.S. Southern Command
Chief Information Officer, U.S. Special Operations Command
Chief Information Officer, U.S. Strategic Command
Chief Information Officer, U.S. Transportation Command

Other Defense Organizations
Director, Missile Defense Agency
Chief Information Officer, American Forces Information Service
Chief Information Officer, Defense Advanced Research Projects Agency
Chief Information Officer, Defense Contract Audit Agency
Chief Information Officer, Defense Contract Management Agency
Chief Information Officer, Defense Commissary Agency
Chief Information Officer, Defense Finance and Accounting Agency
Chief Information Officer, Defense Human Resource Activity
Chief Information Officer, Defense Information Systems Agency
Chief Information Officer, Defense Logistics Agency
Chief Information Officer, Department of Defense Education Activity
Chief Information Officer, Department of Defense Inspector General
Chief Information Officer, Defense Security Cooperation Agency
Chief Information Officer, Defense Security Service
Chief Information Officer, Defense Technical Information Center
Chief Information Officer, Defense Threat Reduction Agency
Chief Information Officer, DoD Test Resources Management Center
Chief Information Officer, Defense Technology Security Administration
Chief Information Officer, Missile Defense Agency
Chief Information Officer, Pentagon Force Protection Agency
Chief Information Officer, TRICARE Management Agency
Chief Information Officer, U.S. Mission North Atlantic Treaty Organization
Chief Information Officer, Washington Headquarters Service

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform

Missile Defense Agency Comments

Final Report Reference

Revised Recommendation 1.

Team Members
The Department of Defense Office of the Deputy Inspector General for Auditing, Readiness and Logistics Support prepared this report. Personnel of the Department of Defense Office of Inspector General who contributed to the report are listed below.

Kathryn M. Truex
Karen J. Lamar
George A. Leighton
Courtney E. Woodruff
Tina N. Brunetti
Dawn M. Russell